I don't see the point. Flash is bundled and enabled by default in Chrome. As long as Google doesn't drop Flash (and they've made it clear they're not going to do this on desktop), Flash security is very much a Chrome problem.
It matters because including flash with chrome is an act of realism. If the user runs firefox, safari or another browser they're still going to be susceptible to the same bug - it simply won't be attributed to the browser because the user was the one that installed the plugin. By including the plugin by default they're solving a significantly larger problem than zero days, namely users that fail to update their plugins on a timely basis (or plugins that fail to provide a reasonable upgrade path). If the security world insisted on a technical interpretation (you shipped it so it's your bug) it would be effectively discouraging a process that is net security positive - and that's the reason a distinction is made. Note that even VUPEN - whose business of selling fully weaponized exploits makes them a natural enemy of better security - tacitly admits the difference by refusing to admit the use of a flash bug. If they really considered it a non-issue they'd be freely admitting what they're exploiting. The difference? High security chrome installations often in use by the kind of targets their government customers have will frequently have flash disabled or set to click to play.
Shipping flash is a net security positive? I'd suggest that removing flash would be a net security positive. Flash will be gone from mobile within a year, and gone from the desktop within two-three years, so anything the vendors can do to expedite this process will be appreciated by the community at large and make us all more secure.
removing flash would be better, but right now it's not an option. mobile web is very very new and it was built without flash, the desktop version is not so much. not even google can fully and immediately drop flash
It's been made clear that not bundling Flash is a sustainable act, if you have the guts to do it. Apple had. Google doesn't. If Google took a firmer stance there, Flash would be dead faster.
I think it's utterly ridiculous to take the stance that Flash is moving towards dead on desktop devices. Flash is effectively dead on mobile, and that primarily for battery reasons. Flash is still very much a big part of the desktop web, and will be for the foreseeable future.
And it definitely should not be until they sort their security and stop pissing around with Linux. Flash is proprietary, crashy, bullshit that can't die sooner. The only advantage it has for video is pretty neat streaming support that could most likely be solved in other ways, and being able to place adverts over the damn video.
Nobody will deny that it's full of security holes, a resource hog, and woefully undersupported on Linux. But I also think it's pissing into the wind to claim that we have equivalent solutions and it's just a matter of waiting for Flash to die now.
We're making progress in that direction, but it's going to be years before there's a significant dent made.
Although it is true there are security problems, it is silly to think that is something unique for flash. WebGl is probably the most insecure plugin right now, largely because there is no one company responsible for upgrading it. Although there are problems with flash, Adobe seem to have high priority on patching it. canvas/webGl/SVG can't deliver yet.
What for, though? I'm another Flashblock user and it seems to lose me ads and videos. The ads don't benefit me anyway, the videos are now capable of being deployed by other means; it's just the vendors haven't yet caught up.
Flash is on life support, and I don't see a way back for it.
Audio is a big one. The HTML5 audio APIs just haven't caught up yet. Live video, as mentioned elsewhere, is big as well. The vast majority of web games are still Flash, as well. Even video delivery is more robust with flash than with HTML5 - ever tried doing a preroll on an HTML5 <video> tag? Notice that it basically...doesn't work?
Flash is certainly has less of a monopoly on "interactive web content" than it once did, but it still fills an extremely important and currently unreplacable role on the web. To be ringing its death toll just yet is premature.
Indeed, the audio tag is basically entirely broken and unusable in a general sense... Most comical is android supporting the tag but not any audio decoding codecs.
Google could run Flash in a VM. Or they could re-implement it (as Mozilla is doing). Or they could buy it from Adobe (they're Google). Or they could pay Adobe to write a version that uses the sandbox. Or they could just stop shipping it.
They aren't fooling anyone. It's Google's problem.
Google could run Flash in a VM. Or they could re-implement it (as Mozilla is doing). [...] Or they could pay Adobe to write a version that uses the sandbox.
Isn't the nacl+pepper flash rewrite effectively the result of doing a bit of all three?
Exactly. Saying "that wasn't a real exploit!", as the Chrome security team often does, is counterproductive at best and childish at worst. Security exists to protect users, not to boost Google's ego. When there is a hole, it doesn't matter where it is: it's a flaw in Chrome, it's Google's responsibility as the vendor of Chrome, and it needs to be fixed.
The point of the contest, from Google's perspective, is to discover vulnerabilities so that they can patch them. Allowing teams to find vulnerabilities in code Google doesn't control does not serve that purpose.
I don't think this has been publicly admitted. I'm fairly certain for 3 reasons though:
1) Google contributes tons of security fixes to Flash.
2) Google announced they will rework Linux Flash to use PPAPI and make it Chrome only. Adobe seems to have abandoned Linux Flash entirely. Logical conclusion is what Google will do this themselves - and they'll need the source code for that.
3) Android shipped with Flash and Google pushed it as a major feature over iOS. This also points to strong collaboration. Android had Flash very early - much earlier than Adobe could have done it themselves.
I admit I was also trolling here to see if one of the Google security guys (who already posted in other threads regarding this) would bite and deny it - in which case I have an indication to the contrary :-)
Google's Chrome team has full access to Adobe's Flash code. The Chrome team maintains their own Flash builds and releases. That's how they can do things like Pepper, even if Adobe doesn't care about Pepper for other platforms. There have been news stories about Chrome updating their Flash a day or two before Adobe, thus revealing security holes in other browsers' Flash.
Google's Android team, for mysterious lawyery reasons, does not access to any Flash code. Adobe had an army of 10-20 engineers and QA working exclusively on Flash for Android. (This is yet another example that Android's device fragmentation is an expensive problem and requires lots of manpower.)
The source code for Flash is not exactly a closely guarded secret, there are quite a few companies that have licenses to it. I'd be shocked if Google wasn't one of them.
I haven't seen a flash-block implementation in chrome that hinders execution of flash. Often the flash is able to load before it is blocked which kind of defeats the purpose (from a security standpoint). Or have I missed something?
Can't believe I didn't know about that. But I can't find it? (all I can find is that is supposed to be in about:flags) Is it available in stable chrome releases?
Edit:
Never find what I'm looking for in chrome settings...
It's in Options -> Under the hood -> Content settings...
(or just chrome://settings/content ) and then you can enable click-to-play under plugins.
It is not their program, they can't do much about it and everyone else has also Flash installed. In reality this vulnerability is present on 99% of all devices and not just chrome. Compare Flash having a sandbox, to all the other browsers who don't have one. In the end, Chrome is by far the most secure browser.
The problem is that an outdated, unsandboxed version of Flash is installed on almost every desktop system. So, if we stopped including Flash, the vast majority of our users would be more vulnerable than they already are. That's why we're shipping a current version with a sandbox that's at least as good as IE low integrity mode, and we're also wrapping up work on a version of Flash that uses the full Chrome sandbox.
If Chrome didn't bundle a better version of flash, and didn't use the system version of flash, users would find out that Chrome is "broken" the first time they got to a page with flash. Then they would switch to Firefox, Opera, or even IE if they're on windows. Those browsers do use the system flash plugins. Who wins? Not security.
If Chrome didn't bundle a modified version, and prompted the user to select a Flash version, the only one they could offer would be the system one.
Unless you're saying that the Chrome team should go to all the effort to build a custom version of flash, but only deliver it to Chrome browsers when the user specifically requests it? That strategy seems DOA from a cost/benefit analysis perspective.
I wouldn't say it backfired, but after releasing we did discover that some Flash obfuscators used on games behave almost identically to a JIT spray attack. This is a shame because their obfuscation technique doesn't really add any value, but it does hurt performance, consume very large amounts of memory, and negatively impact stability. We've adjusted the detection to accommodate, and will make further adjustments as necessary.
Based on what Justin said, it sounds like what they tried to add is a defense against JIT spray attacks, not just a detector, which, if effective, would actually be pretty valuable. JIT spray attacks are pretty dangerous, because they defeat many of the usual protections against exploiting buffer overflows for code execution (e.g. DEP and ASLR on Windows). So it certainly would be valuable to try to defend against these kind of attacks, if that is what the Chrome folks were doing.
Apparently it was not effective in the end, but we may never know, since VUPEN doesn't plan to disclose how they escaped the Chrome sandbox.
Yeah Maciej, that's the gist. The VUPEN guys told us it was effective at preventing the JIT spray, so they used an information leak to bypass ASLR/DEP.
To their credit, they pushed a fix the very next day. I would call that very minimal collateral damage. Google took responsibility in a timely manner for a non-critical bug.
What would you suggest as an alternative? Not bundle flash? Then people will just download it anyway and many will end up with an old vulnerable version. At least with this the user can stay updated automatically with Chrome. The alternative is a net security net negative.
Because Java applets are not that popular anymore so there isn't much of a need. Javascript graphic apps are still slow, lack the smoothness and an experienced developer community that would build new games/apps or port old ones. As sad as it may be to accept it, flash is more popular and fully featured than most alernatives.
Who knows, Unity3D will substitute it for games, HTML5 Video /Sound for playing videos. While that happens, we will soon realize that Unity3D is another plugin-in-browser solution and might be (and I am just speculating here) vulnerable to issues similar to flash; while content providers will stop pushing video content because of lack of DRM like technology with HTML5 Videos. Please note that I am NOT supporting/rejecting any of the mentioned technologies; this is just a reply to a straw man argument.
I don't know about java being unpopular according to this site (first i could find in google) -> http://www.statowl.com/plugin_overview.php it has 75% of market share, second to flash with 95%. if you have some other numbers I would like to hear it.
Having the capability of loading applets is, I consider, not to be the same as popularity of applets. I am unable to produce any citation that talks about popularity of applets except this SO thread: http://stackoverflow.com/questions/51390/where-did-all-the-j...
But the lack of applets is pretty apparent to me. I come across Flash almost hourly while my last few encounters with Java Applets were academic demos 2 years back.
The change causes a specific exception when a style of attack known as a JIT spraying attack is detected. The exception generates a minidump which is uploaded to Google's crash servers.
Similar to how some OSX binaries are protected against running on Hackintoshes with a rather simple plain text key... that when extracted is a poem telling you not to pirate Mac OS: http://www.osxbook.com/book/bonus/chapter7/binaryprotection/
Anyone got any technical details about this? Judging from the "trap backfired" link posted elsewhere in the comments, somehow Chrome can ensure the specific flash crash ends up accessing invalid memory at 0xABAD1DEA... but how?
I feel a little uneasy about a quickly coded 'trap' being quickly auto-deployed to tens of millions of machines automatically in a code fix that's supposed to be about fixing security, only with the intention of making a cute statement in the cat & mouse game they're playing with the white/grey hats.
The claims of it backfiring in the other comments only make me more uneasy about all this. I hope they gave a good thought about a 'user first and cute tricks later' mentality. Don't put 200 million+ users into the crossfire. Or maybe all this is not a big deal at all.
You seem to be reading this as "Google knew about an exploit and could have fixed it, but instead chose to leave a cute message." To me, it sounds more like Google knew what kinds of exploits people were likely to try and put in code that would detect some attempts and give a cute error message. The fact that Vupen later succeeded with a similar exploit basically just proves Google hasn't solved the halting problem, not that they intentionally left an exploit in (unless you consider Abobe Flash itself to be an exploit).
No, it's like being the mayor of a town but there's this one area you don't have control over but still had to give the OK to let build and all the burglars keep getting in through that ar—
On second thought, this is like a software vendor including a knowingly-insecure program with their product and then discounting exploits because they used that included program.
